path: root/vold.te
author Stephen Smalley <sds@tycho.nsa.gov> 2014-05-27 10:56:24 -0400
committer Stephen Smalley <sds@tycho.nsa.gov> 2014-05-29 16:35:01 -0400
commit f85c1fc293523db241c48d815b165067b8a0f471 (patch)
tree 67dea8864ca5233007ec3242311211c3e0dbabf6 /vold.te
parent eb1bbf2632dc20e836f3d340feab548ee496e291 (diff)
Allow installd, vold, system_server unlabeled access.

The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/

Beyond those changes, installd needs to be able to remove package directories for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so allow it the permissions required for this purpose. vold needs to be able to chown/chmod/restorecon files in asec containers so allow it the permissions to do so. system_server tries to access all /data/data subdirectories so permit it to do so. installd and system_server read the pkg.apk file before it has been relabeled by vold and therefore need to read unlabeled files.

Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Diffstat (limited to 'vold.te')
-rw-r--r-- vold.te 7
1 files changed, 5 insertions, 2 deletions
diff --git a/vold.te b/vold.te
index 30cd9d2..0247bfe 100644
--- a/vold.te
+++ b/vold.te
@@ -71,10 +71,13 @@ allow vold ctl_fuse_prop:property_service set;
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
-allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
+allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
# Handle wake locks (used for device encryption)
wakelock_use(vold)
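
Review bot: The two `allow vold unlabeled:...` rules added at the end of the hunk cover every object that carries the `unlabeled` type, while the comment above them describes the intent as "asec containers created on 4.2 or earlier". A type enforcement rule cannot express that path restriction, so the comment should say that the grant is type-wide and that the asec case is only the reason for it, and ideally note when the rules can be dropped. It would also help to state in the comment that these rules give `setattr` and `relabelfrom` only, and that the `relabelto` targets visible in this hunk are `asec_apk_file` and `asec_public_file`, since that is what bounds where vold can move an unlabeled object. Separately, the `relabelto` added to the two `asec_apk_file` rules has no comment of its own; a one-line comment tying it to the restorecon case in the commit message would make the reason for the wider permission set clear to later readers.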